First draft

SonarSource · Dec 19, 2023 · a08822c · a08822c
1 parent f706461
commit a08822c
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 28 deletions.
diff --git a/rules/S6869/kubernetes/metadata.json b/rules/S6869/kubernetes/metadata.json
@@ -1,6 +1,6 @@
 {
-  "title": "FIXME",
-  "type": "CODE_SMELL",
+  "title": "CPU limits should be enforced",
+  "type": "VULNERABILITY",
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
@@ -12,14 +12,18 @@
   "ruleSpecification": "RSPEC-6869",
   "sqKey": "S6869",
   "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      770
+    ]
+  },
   "defaultQualityProfiles": ["Sonar way"],
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH",
-      "RELIABILITY": "MEDIUM",
-      "SECURITY": "LOW"
+      "MAINTAINABILITY": "MEDIUM",
+      "SECURITY": "MEDIUM"
     },
-    "attribute": "CONVENTIONAL"
+    "attribute": "COMPLETE"
   }
-}
+}
diff --git a/rules/S6869/kubernetes/rule.adoc b/rules/S6869/kubernetes/rule.adoc
@@ -1,44 +1,74 @@
-FIXME: add a description
+== Why is this an issue?
 
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+A CPU limitation for a container is a specified boundary or restriction that
+determines the maximum amount of CPU resources that a container can utilize. It
+is a part of resource management in a containerized environment, and it is set
+to ensure that a single container does not monopolize the CPU resources of the
+host machine.
 
-== Why is this an issue?
+CPU limitations are important for maintaining a balanced and efficient system.
+They help in distributing resources fairly among different containers, ensuring
+that no single container can cause a system-wide slowdown by consuming more than
+its fair share of CPU resources.
+
+=== What is the potential impact?
+
+==== Performance degradation
+
+Without CPU limitations, a single container could monopolize all available CPU
+resources, leading to a system-wide slowdown. Other containers or processes on
+the same host might be deprived of the necessary CPU resources, causing them to
+function inefficiently.
 
-FIXME: remove the unused optional headers (that are commented out)
+==== System instability
 
-//=== What is the potential impact?
+In extreme cases, a container with no CPU limit could cause the host machine to
+become unresponsive. This can lead to system downtime and potential loss of
+data, disrupting critical operations and impacting system reliability.
 
 == How to fix it
-//== How to fix it in FRAMEWORK NAME
 
 === Code examples
 
 ==== Noncompliant code example
 
-[source,text,diff-id=1,diff-type=noncompliant]
+[source,yaml,diff-id=1,diff-type=noncompliant]
 ----
-FIXME
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+spec:
+  containers: # Noncompliant
+    - name: web
+      image: nginx
 ----
 
 ==== Compliant solution
 
-[source,text,diff-id=1,diff-type=compliant]
+[source,yaml,diff-id=1,diff-type=compliant]
 ----
-FIXME
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+spec:
+  containers:
+    - name: web
+      image: nginx
+      resources:
+        limits:
+          cpu: 0.5
 ----
 
-//=== How does this work?
+=== How does this work?
 
-//=== Pitfalls
+A limit can be set through the property `resources.limits.cpu` of a
+container. Alternatively, a default limit for a namespace can be set with
+`LimitRange`.
 
-//=== Going the extra mile
+== Resources
 
+=== Standards
 
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+* CWE - https://cwe.mitre.org/data/definitions/770[CWE-770 - Allocation of Resources Without Limits or Throttling]